Asterisk Security

How to make your asterisk safer:


Asterisk Security

Quick Start


Hardware Firewall


Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. If you do have remote users, lock your firewall down to only allow those users to connect if possible, rather than opening it to the entire internet. If you have mobile users this may not be an option however.

Other services, such as SSH should be blocked by the hardware firewall.

Software Firewall


Implement a software firewall if possible, using Linux IP Chains. The rules should be similar to the hardware firewall, with the possible addition of additional rules to protect against attacks originating on the local LAN.

Fail2Ban


Implement Fail2Ban to prevent denial of service attacks (password guessing can cause excessive CPU utilization).

Strong Passwords


All remote users should have strong, alpha-numeric passwords. These should be long. They should NEVER be the same as the username or based on the user's extension.

Default Context


Your default context in extensions.conf should be empty. This context is used when other contexts might not match a peer. You should explicitly refer to a non-default context for remote SIP calls.

sip.conf configuration


In the general section, define:


[general]
...
context=bogus
allowguest=no
alwaysauthreject=no
...


The context line will refer to a context (which you *must define* in extensions.conf!) that should handle "default" SIP calls. This should go to a context with nothing in it (unless you want to play with them - then, if you have the bandwidth, feel free to play a recording or such!). Obviously if you want to accept anonymous SIP calls, send them to the proper context (but *never* a context that can dial out!).

The "allowguest" line disables anonymous SIP calls to your PBX. Some SIP providers connect as a guest user, however, so this may be inappropriate for your situation. Also, if you want to accept anonymous SIP calls, this line would block them, so you wouldn't want that. But it is listed here because it is the safest configuration.

The "alwaysauthreject" line is important. This causes a hacker to get the same response from your PBX when they try to guess passwords whether or not they guessed a valid username. This also has the side-effect of making poorly written scanning scripts (the vast majority of hacker scripts seem to be poorly written) take less resources on your Asterisk box, as even if they scan a valid username, they'll think it doesn't exist.

In addition to these, verify that all peers listed in sip.conf are valid and have strong passwords.

iax.conf


(I'm hoping others will fill in this section - I block IAX)

Dialplan


Do your users need to be able to dial internationally? If not, make sure your dialplan blocks international calls (in the US, these calls start with a 011 typically, although some countries "look like" US numbers - so also block calls to area codes that don't correspond to areas you call). You may be able to request your provider also blocks international calls. If you only have SOME users that need to call internationally, place them in a different context than the rest of your users.

Logs, CDR


Review your logs and CDR at least daily. Even one day of illegitimate calls can add up to tons of money quickly.